The notorious Clop ransomware group has intensified its operations, launching a new extortion campaign targeting 66 companies. By exploiting a zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom and related products, Clop demands ransoms while threatening to leak sensitive data. To understand their tactics and protect against such attacks, organizations need to take proactive steps now.
The Clop Ransomware Extortion Scheme
Clop has issued a 48-hour ultimatum to affected companies, threatening full exposure of sensitive data if victims fail to respond. On their dark web leak portal, the group reveals partial names of non-compliant organizations to increase pressure.
How Clop Operates:
- Exploitation of Zero-Day Vulnerabilities: Clop exploits CVE-2024-50623 to infiltrate file transfer products such as Cleo LexiCom, VLTrader, and Harmony.
- Unrestricted File Access: Attackers gain the ability to upload and download files, paving the way for remote code execution.
- Dark Web Negotiations: Clop opens secure chat channels for ransom discussions and directs victims to initiate payment.
Additionally, their tactics reflect a clear focus on exploiting essential platforms, making it crucial for companies to stay vigilant.
Affected Products and Users
Cleo Harmony, VLTrader, and LexiCom, which serve over 4,000 organizations globally, are central to this campaign. Although Cleo released version 5.8.0.21 with a security patch, Huntress researchers revealed that the fix could be bypassed, raising concerns about continued exploitation.
Key Products Targeted by Clop:
- Cleo Harmony
- VLTrader
- LexiCom
Since these platforms are critical for file transfers, securing them must become a priority for all users.
Identifying Victims and Scale
Macnica researcher Yutaka Sejiyama explained that partial company names published by Clop often correlate with publicly exposed Cleo servers. Consequently, the true scale of this breach could extend far beyond the 66 organizations Clop has named.
How to Protect Against Clop Ransomware
- Apply Security Updates: Install the latest patches for all Cleo products to close security gaps.
- Restrict Network Exposure: Limit file transfer platforms’ accessibility to internal or trusted networks only.
- Monitor Logs for Anomalies: Look for unusual file uploads or downloads as indicators of compromise.
- Educate Employees: Provide training to help employees recognize phishing attempts and avoid malicious links.
Pro Tip: Combine employee training with endpoint detection tools for a comprehensive defense against ransomware threats.
Conclusion:
Clop ransomware continues to exploit vulnerabilities in widely used file transfer platforms, posing significant risks to organizations worldwide. However, by understanding their methods and acting swiftly, companies can mitigate these threats. Secure your systems, apply patches, and educate your team to build a robust defense against evolving ransomware campaigns.